Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8vhc-hwhc-cpj4 #1825

Closed
GoVulnBot opened this issue Jun 6, 2023 · 2 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-8vhc-hwhc-cpj4, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/rancher/rancher 2.7.4 >= 2.7.0, < 2.7.4

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/rancher/rancher
      versions:
        - introduced: 2.7.0
          fixed: 2.7.4
      packages:
        - package: github.com/rancher/rancher
    - module: github.com/rancher/rancher
      versions:
        - introduced: 2.6.0
          fixed: 2.6.13
      packages:
        - package: github.com/rancher/rancher
summary: Rancher users retain access after moving namespaces into projects they don't have access to
description: "### Impact\nA vulnerability was identified in which users with update privileges on a namespace, can move that namespace into a project they don't have access to. After the namespace transfer is completed, their previous permissions are still preserved, which enables them to gain access to project-specific resources (such as [project secrets](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-resources-setup/secrets#creating-secrets-in-projects)). In addition, resources in the namespace will now count toward the [quota limit](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/manage-projects/manage-project-resource-quotas/about-project-resource-quotas) of the new project, potentially causing availability issues.\n\nUser with roles `Project Owner` and `Project Member` on the source project can exploit this vulnerability; however, this would also apply to custom roles with similar privileges. \n\nThe patched version include an improved RBAC mechanism, which checks if the user has the correct permissions before the namespace move takes place.\n\n### Patches\nPatched versions include releases `2.6.13`, `2.7.4` and later versions.\n\n### Workarounds\nThere is no direct mitigation besides updating Rancher to a patched version.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/)."
cves:
    - CVE-2020-10676
ghsas:
    - GHSA-8vhc-hwhc-cpj4
references:
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-8vhc-hwhc-cpj4
    - web: https://github.com/rancher/rancher/releases/tag/v2.6.13
    - web: https://github.com/rancher/rancher/releases/tag/v2.7.4
    - advisory: https://github.com/advisories/GHSA-8vhc-hwhc-cpj4

@tatianab tatianab self-assigned this Jun 7, 2023
@tatianab tatianab added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jun 7, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/501842 mentions this issue: data/excluded: batch add 15 excluded reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

3 participants